New pkg audit FNs
swills at FreeBSD.org
Mon Oct 9 21:09:44 UTC 2017
On 10/09/2017 16:34, Jan Beich wrote:
> Matthew Seaman <matthew at FreeBSD.org> writes:
>> On 09/10/2017 16:57, Roger Marquis wrote:
>>> Can anyone say what mechanisms the ports-security team might have in
>>> place to monitor CVEs and port software versions?
I've been hacking at a prototype for scanning what I can find:
It's more of a proof of concept than anything. The entry for this issue
is still incomplete though, and the web page for it lists it as "waiting
>>> The reason I ask is CVE-2017-12617 was announced almost a week ago yet
>>> there's no mention of it in the vulnerability database. The tomcat8
It looks like it's there to me:
And added days ago.
>>> port's Makefile also still points to the older, vulnerable version.
True, the maintainer needs to update it. I've copied him on this message.
>>> Tomcat is one of those popular, internet-facing applications that sites
>>> need to check and/or update quickly when CVEs are released and most
>>> admins probably don't expect "pkg audit" to throw false negatives.
>> Ports-secteam (and secteam, for that matter) will update VuXML when they
>> know about vulnerabilities that affect FreeBSD ports, however the usual
>> mechanism is that the port maintainer either updates VuXML themselves
>> directly or tells the appropriate people that there are vulnerabilities
>> that need to be recorded.
Correct, but it doesn't have to be the port maintainer; anyone can
submit a bug report with a patch to ports/security/vuxml/vuln.xml
> What happened to querying CVE database using CPE strings? ENOTIME is a
> common disease in volunteer projects, ports-secteam@ is no exception.
> Finding missing entries is trivial if one looks at Debian tracker.
> Let's pick something popular e.g., tiff-4.0.8 has 6 CVEs none of which
> are fixed in the port.
Indeed, I've wanted to try matching up ports/packages to the CVE entries
by using CPE data. I will try to look at that again, but as always
I'll try to add the missing tiff entries and any others anyone cares to
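The CPE-based matching discussed above, as an added illustration that is not part of this thread or of the prototype mentioned in it: package CPE strings (as a port's CPE_* variables would yield) are checked against NVD-style CVE criteria with version bounds, and any match not yet recorded in vuln.xml is reported as a candidate VuXML submission. All package data, CVE records (placeholder ids) and the set of known vuln.xml entries are constructed for the example.

```python
"""Cross-check package CPE annotations against CVE CPE criteria (constructed data)."""
import re
# Constructed: package name-version -> CPE 2.3 string, as a port's CPE_* vars would yield.
PACKAGES = {
    "tiff-4.0.8": "cpe:2.3:a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*",
    "tomcat8-8.5.20": "cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
    "curl-7.56.0": "cpe:2.3:a:haxx:curl:7.56.0:*:*:*:*:*:*:*",
}
# Constructed CVE records in an NVD-like shape: CPE criteria plus optional version
# bounds. The ids are placeholders, not real CVEs.
CVES = [
    {"id": "CVE-EXAMPLE-0001", "cpe": "cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*",
     "end_excluding": "4.0.9"},
    {"id": "CVE-EXAMPLE-0002", "cpe": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "start_including": "8.5.0", "end_excluding": "8.5.23"},
    {"id": "CVE-EXAMPLE-0003", "cpe": "cpe:2.3:a:haxx:curl:7.55.0:*:*:*:*:*:*:*"},
]
IN_VUXML = {"CVE-EXAMPLE-0002"}  # constructed: ids already recorded in vuln.xml

def vkey(version):
    """Sort key for dotted versions: numeric parts compare as ints, the rest as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))

def cpe_fields(cpe):
    """(part, vendor, product, version) of a CPE 2.3 string; escaped colons not handled."""
    return tuple(cpe.split(":")[2:6])

def cve_matches(pkg_cpe, cve):
    """True if the package CPE lies inside the CVE's CPE criteria and version bounds."""
    part, vendor, product, version = cpe_fields(pkg_cpe)
    cpart, cvendor, cproduct, cversion = cpe_fields(cve["cpe"])
    if (cpart, cvendor, cproduct) != (part, vendor, product):
        return False
    if cversion != "*":  # criterion names one exact version
        return cversion == version
    v = vkey(version)    # wildcard version: apply the NVD-style range bounds
    if "start_including" in cve and v < vkey(cve["start_including"]):
        return False
    return not ("end_excluding" in cve and v >= vkey(cve["end_excluding"]))

def affected(packages=PACKAGES, cves=CVES):
    """Map each package to the sorted ids of CVEs whose criteria match it."""
    return {pkg: sorted(c["id"] for c in cves if cve_matches(cpe, c))
            for pkg, cpe in packages.items()}

def missing_from_vuxml(packages=PACKAGES, cves=CVES, known=IN_VUXML):
    """Matched CVEs with no vuln.xml entry yet: candidates for a VuXML submission."""
    hits = affected(packages, cves)
    return {pkg: [i for i in ids if i not in known]
            for pkg, ids in hits.items() if set(ids) - known}
```

With the constructed data, tiff-4.0.8 is flagged as lacking an entry while the tomcat8 match is already covered; on a real system the package side would come from the `cpe` annotation that pkg records for ports setting `USES=cpe`, and the CVE side from an NVD feed.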